Bug#692650: Patches for CVE-2012-5783 and CVE-2012-5784
Alberto Fernández
infjaf at gmail.com
Thu Dec 6 12:49:07 UTC 2012
Hi All,
I've prepared the patch with the problem pointed out by David fixed (thanks,
David). It also fixes a bug related to wildcard certificates.
The first patch is backported from httpclient 4.0 and Apache Synapse.
This second patch backports some fixes from httpclient 4.2.
The patch differs a lot from the 4.x line for two reasons: first, the code
architecture changes; second, I want to maintain the 3.1 API unchanged,
so all methods are private and only apply to one class.
The patch for axis and commons-httpclient is the same. In the function
where they create an SSLSocket, I've put the same routine to validate the
hostname against the certificate's valid names.
I'll upload the new patches in their place.
Please review them and when ready I can upload a new package to mentors.
Thanks
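
The kind of check the message describes, run on a newly created SSLSocket, is sketched below as an added example; it is not code from the attached patches or from httpclient. The class and method names are hypothetical, and it assumes only subjectAltName dNSName entries are consulted (CN fallback and IP literals are left out).

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;

public final class HostnameCheck {
    // Hypothetical helper: run on the freshly created socket before sending any data.
    static void verify(String host, SSLSocket socket) throws IOException, CertificateException {
        socket.startHandshake();
        X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
        List<String> names = dnsNames(leaf);
        for (String name : names) {
            if (matches(host, name)) return;
        }
        throw new SSLException("hostname " + host + " not in certificate names " + names);
    }
    // Collect subjectAltName entries of type dNSName (GeneralName tag 2).
    static List<String> dnsNames(X509Certificate cert) throws CertificateException {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return out;
        for (List<?> san : sans) {
            if (((Integer) san.get(0)).intValue() == 2) out.add((String) san.get(1));
        }
        return out;
    }
    // Exact match, or "*." covering exactly one leftmost label.
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        String suffix = p.substring(1);                 // ".example.org"
        if (suffix.indexOf('.', 1) < 0) return false;   // refuse "*.com"
        if (!h.endsWith(suffix)) return false;
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }
    public static void main(String[] args) {
        // Constructed name pairs; no network access needed.
        String[][] cases = {{"www.example.org", "*.example.org"}, {"a.b.example.org", "*.example.org"},
                            {"example.org", "*.example.org"}, {"www.example.com", "*.com"}};
        for (String[] c : cases) System.out.println(c[0] + " vs " + c[1] + ": " + matches(c[0], c[1]));
    }
}
```

The wildcard rule here is deliberately strict: a pattern with `*` anywhere other than as the whole leftmost label is treated as a literal name and so never matches a real hostname.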